Gate
Token-based access control for any web application. One gateway, one line of middleware, done.
One Key, Every Door
derilinx-labs runs a growing number of tools, each on its own subdomain: february.derilinx-labs.com, ontology.derilinx-labs.com, oireachtas.derilinx-labs.com. Some are public. Some are previews shared with specific people — a client evaluating a tool, a collaborator testing a feature, a researcher given early access. Each person needs access to specific tools, for a specific period, revocable at any time.
Gate is the answer. It is a central authentication service that manages access tokens across every subdomain. Each token is tied to a person, a project, and an expiry date. Share a link containing the token; the recipient clicks it, Gate validates it, sets a cookie, and the person is in. No accounts, no passwords, no registration forms. When the token expires or is revoked, access stops; the only lag is the one-minute validation cache in the project's middleware.
Any derilinx-labs Django project protects itself by adding one middleware class and three settings. Gate handles everything else: validation, cookie management, caching, and the polite “access denied” page for anyone without a valid token.
A Visitor Badge for Websites
Imagine a building with lots of rooms, and each room has a different project inside. Some rooms are open to everyone. Others need a visitor badge. Gate is the reception desk. When someone is invited, Gate prints a badge (a special link) and sends it to them. When they arrive, Gate checks their badge, opens the door, and notes down the visit. If the badge expires or the host says “cancel that badge,” Gate won’t let them in any more. One reception desk, every room in the building.
Token Lifecycle
1. Issue
An administrator creates a token via the admin interface or CLI. The token specifies: recipient name and email, project (subdomain), duration (default 30 days), and whether it auto-extends on use. Gate generates a cryptographically secure URL-safe string and produces a share URL: https://project.derilinx-labs.com?gate=TOKEN. The share URL is a bearer credential: whoever holds the link has the recipient's access until the token expires or is revoked, so it should be sent only to the intended person.
2. Access
The recipient clicks the share URL. The Gate middleware on the target project intercepts the request, extracts the token from the URL parameter, and validates it against the Gate API. If valid, the middleware sets a secure, httponly cookie and redirects to the clean URL without the token parameter, so the token does not linger in browser history, bookmarks, or Referer headers sent to other sites. The user sees the project.
3. Subsequent visits
On return visits, the middleware reads the token from the cookie instead of the URL. Validation results are cached for one minute to avoid calling the Gate API on every request, which also means a revocation or expiry takes up to a minute to be enforced on the project. The user experience is seamless: they just visit the URL.
4. Revoke or expire
Tokens can be revoked instantly in Gate via the admin interface (individually or in bulk); the project stops honouring a revoked token once its cached validation result, at most one minute old, lapses. Expired tokens fail validation automatically. Auto-extending tokens push their expiry forward by the token's duration on each use, creating a sliding window of access.
5. Audit
Every successful access creates an AccessLog entry: timestamp, token, subdomain. The admin interface shows access history inline with each token.
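The lifecycle above, issue through audit, as an added worked example in plain Python. This is illustrative code, not Gate's own implementation: the Token fields follow the model description on this page, but the in-memory TokenStore, the function names and the denial-reason strings are assumptions. It shows the 43-character token, the per-project scope check, the sliding window of an auto-extending token, and why a revoked token is kept rather than deleted.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Example code, not Gate's implementation: an in-memory stand-in for the Token
# and AccessLog tables. Field names follow the page; everything else is assumed.


@dataclass
class Token:
    recipient_email: str
    project_subdomain: str
    token: str
    expires_at: datetime
    duration_days: int
    auto_extend: bool = False
    active: bool = True
    access_count: int = 0
    last_used_at: Optional[datetime] = None


def now_utc() -> datetime:
    return datetime.now(timezone.utc)


def issue_token(email: str, subdomain: str, duration_days: int = 30,
                auto_extend: bool = False, now: Optional[datetime] = None) -> Token:
    """32 random bytes as unpadded base64url gives the 43 URL-safe characters."""
    now = now or now_utc()
    return Token(email, subdomain, secrets.token_urlsafe(32),
                 now + timedelta(days=duration_days), duration_days, auto_extend)


def share_url(tok: Token) -> str:
    # The link is a bearer credential: whoever holds it has the recipient's access.
    return f"https://{tok.project_subdomain}.derilinx-labs.com?gate={tok.token}"


class TokenStore:
    """Holds issued tokens and answers the question /api/validate/ answers."""

    def __init__(self) -> None:
        self._by_value: dict[str, Token] = {}
        self.access_log: list[tuple[datetime, str, str]] = []   # (timestamp, token, subdomain)

    def add(self, tok: Token) -> None:
        self._by_value[tok.token] = tok

    def revoke(self, value: str) -> None:
        # Revocation flips the active flag; the row stays so the audit trail survives.
        self._by_value[value].active = False

    def validate(self, value: str, subdomain: str, now: Optional[datetime] = None) -> dict:
        now = now or now_utc()
        tok = self._by_value.get(value)
        if tok is None:
            return {"valid": False, "reason": "unknown_token"}
        if tok.project_subdomain != subdomain:
            # A token is scoped to one project; presenting it elsewhere fails.
            return {"valid": False, "reason": "wrong_project"}
        if not tok.active:
            return {"valid": False, "reason": "revoked"}
        if tok.expires_at <= now:
            return {"valid": False, "reason": "expired"}
        # Successful access: record the audit entry and the counters the admin sees.
        tok.access_count += 1
        tok.last_used_at = now
        self.access_log.append((now, tok.token, subdomain))
        # Auto-extend slides the expiry forward by the original duration, so
        # access lasts as long as the recipient keeps visiting.
        if tok.auto_extend:
            tok.expires_at = now + timedelta(days=tok.duration_days)
        return {"valid": True, "expires_at": tok.expires_at.isoformat(),
                "recipient": tok.recipient_email}
```

The order of checks matters only for what a caller learns from the denial reason: here the project scope is tested before the active and expiry flags, so a token presented on the wrong subdomain reveals nothing about its state.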
Controlled Sharing
Client preview
A prospective client wants to evaluate February before committing. The account manager creates a 14-day token, sends the share URL by email. The client clicks the link and has immediate access. After 14 days, access expires automatically. No follow-up needed.
Collaborator access
A research partner needs access to the GeoSPARQL Endpoint for the duration of a project. A 90-day auto-extending token ensures access continues as long as they’re actively using it. If they stop visiting for 90 days, it expires. The admin can see usage frequency in the access logs.
Internal tool gating
A new derilinx-labs project isn't ready for public access. The project is set to token_gated in Gate. Only team members with tokens can access it. When it's ready to go public, the admin switches the project to public: no tokens needed, no middleware changes, and the switch takes effect within the middleware's five-minute visibility cache.
Under the Bonnet
Models
Project: name, subdomain (unique), visibility (public or token_gated).
Token: recipient name/email, project (FK), token string (URL-safe, 43 chars, i.e. 32 random bytes as unpadded base64url; indexed), expiry, duration_days, auto_extend flag, active flag, access_count, last_used_at.
AccessLog: token (FK), timestamp, subdomain.
API
POST /api/validate/ validates a token for a subdomain and returns validity, expiry and recipient info, or a denial reason. GET /api/project-visibility/ reports whether a subdomain is public or token-gated. All endpoints require the X-Gate-Api-Key header, so only projects holding the key can query Gate.
Middleware
Drop-in Django middleware with three required settings: GATE_URL, GATE_API_KEY and GATE_SUBDOMAIN. Leave GATE_URL empty to disable the middleware in development. Project visibility is cached for 5 minutes and token validation for 1 minute. Fail closed: if Gate is unreachable, the project is treated as token-gated rather than public, so an outage cannot expose a gated project.
Cookie
Name: gate_token. Domain: .derilinx-labs.com, so one cookie covers every subdomain and a browser sends it to every derilinx-labs project it visits; the per-subdomain check in /api/validate/ is what stops a token issued for one project from opening another. Flags: httponly, secure, samesite=Lax. Duration: 30 days; the cookie only carries the token, and access is governed by the token's own expiry and active flag.
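The Middleware and Cookie sections together, as an added framework-free example (not Gate's middleware and not Django code): the request path the page describes, written so it runs stand-alone. The cookie attributes and the two cache lifetimes are taken from the page; Request, Response, FakeGateApi, ManualClock and the denial-reason strings are constructed stand-ins. It demonstrates stripping only the gate parameter from the redirect URL, serving return visits from the one-minute validation cache, and failing closed when Gate is down.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Example code, not Gate's middleware. Cookie attributes and TTLs follow the
# page; Request/Response, FakeGateApi and ManualClock are constructed stand-ins.
COOKIE_NAME = "gate_token"
COOKIE_ATTRS = {"domain": ".derilinx-labs.com", "httponly": True, "secure": True,
                "samesite": "Lax", "max_age": 30 * 24 * 3600}
VALIDATION_TTL = 60     # seconds
VISIBILITY_TTL = 300    # seconds


class GateUnreachable(Exception):
    """Raised when the Gate API cannot be reached."""


@dataclass
class Request:
    url: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None
    set_cookie: Optional[dict] = None


class FakeGateApi:
    """Constructed stand-in for POST /api/validate/ and GET /api/project-visibility/."""

    def __init__(self, tokens: dict, visibility: str = "token_gated") -> None:
        self.tokens, self.visibility, self.reachable, self.validate_calls = tokens, visibility, True, 0

    def validate(self, token: str, subdomain: str) -> dict:
        if not self.reachable:
            raise GateUnreachable
        self.validate_calls += 1
        if self.tokens.get(token) == subdomain:          # token must be scoped to this project
            return {"valid": True}
        return {"valid": False, "reason": "invalid_or_wrong_project"}

    def project_visibility(self, subdomain: str) -> str:
        if not self.reachable:
            raise GateUnreachable
        return self.visibility


class ManualClock:
    """Lets the example advance time past the cache TTLs."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def serve(request: Request) -> Response:
    """Stand-in for the protected Django view."""
    return Response(200, body="project page")


class GateMiddleware:
    def __init__(self, subdomain: str, api, clock: Callable[[], float] = time.monotonic) -> None:
        self.subdomain, self.api, self.clock = subdomain, api, clock
        self._visibility: Optional[tuple[str, float]] = None    # (value, cache expiry)
        self._validations: dict[str, tuple[dict, float]] = {}    # token -> (result, cache expiry)

    def visibility(self) -> str:
        if self._visibility and self._visibility[1] > self.clock():
            return self._visibility[0]
        try:
            value = self.api.project_visibility(self.subdomain)
        except GateUnreachable:
            return "token_gated"        # fail closed; the failure itself is not cached
        self._visibility = (value, self.clock() + VISIBILITY_TTL)
        return value

    def validate(self, token: str) -> dict:
        cached = self._validations.get(token)
        if cached and cached[1] > self.clock():
            return cached[0]            # a revocation stays invisible until this entry lapses
        try:
            result = self.api.validate(token, self.subdomain)
        except GateUnreachable:
            return {"valid": False, "reason": "gate_unreachable"}
        self._validations[token] = (result, self.clock() + VALIDATION_TTL)
        return result

    def __call__(self, request: Request, get_response=serve) -> Response:
        if self.visibility() == "public":
            return get_response(request)
        parts = urlsplit(request.url)
        params = dict(parse_qsl(parts.query))
        url_token = params.pop("gate", None)            # strip only the gate parameter
        if url_token:
            result = self.validate(url_token)
            if not result["valid"]:
                return Response(403, body=f"access denied: {result['reason']}")
            # Move the token from the URL into the cookie and redirect to the clean URL.
            clean = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))
            return Response(302, location=clean,
                            set_cookie={"name": COOKIE_NAME, "value": url_token, **COOKIE_ATTRS})
        cookie_token = request.cookies.get(COOKIE_NAME)
        if cookie_token and self.validate(cookie_token)["valid"]:
            return get_response(request)
        return Response(403, body="access denied")
```

Two design choices worth noting: an unreachable Gate is never written into either cache, so recovery is immediate once the service is back, and the validation cache is keyed by token rather than by visitor, so a revoked token's last cached "valid" result is the only window in which it still works.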
Stack
Django 5.1, PostgreSQL 16, Docker. Port 8002. Admin interface for token management with bulk actions (revoke, extend, regenerate).